Outdated Roundcube package in Ubuntu


I am a bit concerned about the outdated Roundcube package in Ubuntu Server. In light of the zero-day published today I checked on the versions we receive from the Ubuntu repositories, and that made me quite nervous.

I know that this is probably better addressed to the Ubuntu folks, but I wonder what people here are actually doing about this. If Ubuntu is not providing new packages soon, do you update Roundcube by hand on your boxes? Do you disable Roundcube for good?


My Ubuntu shows Roundcube Webmail 1.6.1, which is still vulnerable.

Link to CVE-2023-5631

Posted on Slack, but it looks like we are going to need a release to patch this, since it is installed via a script that targets 1.6.1 here: https://github.com/mail-in-a-box/mailinabox/blob/main/setup/webmail.sh
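Since the setup script pins the version rather than pulling Ubuntu's package, the only reliable way to know what a box is running is to read it off the installed tree. The script below is an added example (not code from this thread or from the Mail-in-a-Box project): it reads the `RCMAIL_VERSION` constant from Roundcube's `program/include/iniset.php`, maps the branch to the first release that fixed CVE-2023-5631 (1.6.4 as cited later in this thread; 1.5.5 and 1.4.15 for the older branches, per the Roundcube release announcement, not from this thread), and compares with `sort -V` so that 1.6.10 is not mistaken for something older than 1.6.4. The `iniset.php` fragment is constructed for the demo; the install directory on a Mail-in-a-Box host is assumed to be `/usr/local/lib/roundcubemail`.

```shell
#!/bin/sh
# Added example, not part of the thread or the Mail-in-a-Box project.
# Checks an installed Roundcube tree against the first fixed release
# for CVE-2023-5631 on its branch.

# First fixed release per branch. 1.6.4 is the version cited in this
# thread; 1.5.5 and 1.4.15 come from the Roundcube release announcement.
fixed_version_for() {
    case "$1" in
        1.6.*) echo "1.6.4" ;;
        1.5.*) echo "1.5.5" ;;
        1.4.*) echo "1.4.15" ;;
        *)     echo "" ;;   # unsupported/unknown branch: no fixed release
    esac
}

# True (exit 0) when version $1 sorts strictly before version $2.
# sort -V orders numerically per component, so 1.6.10 > 1.6.4.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# True (exit 0) when the version is below its branch's fixed release,
# or when the branch has no fixed release at all (treated as vulnerable).
is_vulnerable_version() {
    fixed=$(fixed_version_for "$1")
    [ -z "$fixed" ] && return 0
    version_lt "$1" "$fixed"
}

# Extract the version string from an iniset.php body read on stdin.
# Roundcube defines it as: define('RCMAIL_VERSION', '1.6.1');
roundcube_version_from_iniset() {
    sed -n "s/.*define('RCMAIL_VERSION', *'\([^']*\)').*/\1/p" | head -n 1
}

# Check the Roundcube tree rooted at $1. Returns 0 patched, 1 vulnerable,
# 2 when no Roundcube install is found there.
check_roundcube_dir() {
    f="$1/program/include/iniset.php"
    if [ ! -r "$f" ]; then
        echo "no Roundcube install found under $1"
        return 2
    fi
    v=$(roundcube_version_from_iniset < "$f")
    if is_vulnerable_version "$v"; then
        echo "Roundcube $v under $1: VULNERABLE (fixed in ${fixed:-no supported release})"
        return 1
    fi
    echo "Roundcube $v under $1: at or above fixed release $fixed"
    return 0
}

# Constructed iniset.php fragment in the shape Roundcube ships.
SAMPLE_INISET=$(cat <<'EOF'
<?php
// constructed fragment, not the real file
define('RCMAIL_VERSION', '1.6.1');
EOF
)

# Demo against a throwaway tree built from the constructed fragment.
# On a Mail-in-a-Box host run instead (path assumed from webmail.sh):
#   check_roundcube_dir /usr/local/lib/roundcubemail
tmp=$(mktemp -d)
mkdir -p "$tmp/program/include"
printf '%s\n' "$SAMPLE_INISET" > "$tmp/program/include/iniset.php"
check_roundcube_dir "$tmp" || true
rm -rf "$tmp"
```

Run it as root or as a user that can read the install tree; a non-zero exit is the signal to act (update by hand, or disable the webmail vhost until a release ships).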

Thanks for the pointer. I honestly thought we were using the packages provided by Ubuntu. Since that is not the case, we probably need another version bump in MIAB (hopefully soon).

Saw that Roundcube was updated to 1.6.4 here: https://github.com/mail-in-a-box/mailinabox/pull/2317. Doesn't look like it has been released yet, though.

In the latest update, which has an issue with the versioning, the Roundcube update is now included.

Mail-in-a-Box does not use Roundcube as packaged by Ubuntu. Roundcube is installed directly from source. The most recent release, v65, includes the upgrade to Roundcube 1.6.4.